From 50386649b4132ae200e8c1c60354593abda58bf7 Mon Sep 17 00:00:00 2001
From: "alexey.ponomarev" <aponomarev@wallarm.com>
Date: Thu, 22 Aug 2024 18:10:44 +0600
Subject: [PATCH 1/2] NODE-5655 add docker auth to tests

---
 .github/workflows/test.yaml            | 22 ++++++++++++++++++++--
 helm/test/run_chart_tests.sh           | 22 +++++++++++++++++++++-
 helm/values.test.yaml                  |  4 +++-
 kind/docker/manifests/init/pytest.yaml |  2 ++
 4 files changed, 46 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index b8b060b..543a2c0 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -153,7 +153,10 @@ jobs:
           role: ${{ secrets.VAULT_ROLE }}
           method: kubernetes
           path: kubernetes-ci
-          secrets: kv-gitlab-ci/data/github/sidecar api_token
+          secrets: |
+            kv-gitlab-ci/data/github/sidecar api_token ;
+            kv-gitlab-ci/data/github/shared/dockerhub-creds user | DOCKERHUB_USER ;
+            kv-gitlab-ci/data/github/shared/dockerhub-creds password | DOCKERHUB_PASSWORD ;
 
       - name: Checkout
         uses: actions/checkout@v3
@@ -162,6 +165,7 @@ jobs:
 
       - name: Create cluster
         run: |
+          echo ${DOCKERHUB_PASSWORD} | docker login -u ${DOCKERHUB_USER} --password-stdin
           kind create cluster \
             --config ${GITHUB_WORKSPACE}/helm/test/kind/kind.yaml \
             --image kindest/node:v${{ matrix.kubeVersion }} \
@@ -170,6 +174,11 @@ jobs:
           kubectl cluster-info
           kubectl wait --for=condition=Ready pods --all --timeout=180s -n kube-system
           echo "current-context:" $(kubectl config current-context)
+          echo "[test-env] creating secret docker-registry ..."
+          kubectl create secret docker-registry dockerhub-secret \
+            --docker-username="${DOCKERHUB_USER}" \
+            --docker-password="${DOCKERHUB_PASSWORD}" \
+            --docker-email=docker-pull@unexists.unexists
       
       - name: Load cache
         if: ${{ inputs.load_artifact }}
@@ -227,7 +236,10 @@ jobs:
           role: ${{ secrets.VAULT_ROLE }}
           method: kubernetes
           path: kubernetes-ci
-          secrets: kv-gitlab-ci/data/github/sidecar api_token | WALLARM_API_TOKEN
+          secrets: |
+            kv-gitlab-ci/data/github/sidecar api_token | WALLARM_API_TOKEN ;
+            kv-gitlab-ci/data/github/shared/dockerhub-creds user | DOCKERHUB_USER ;
+            kv-gitlab-ci/data/github/shared/dockerhub-creds password | DOCKERHUB_PASSWORD ;
 
       - name: Checkout
         uses: actions/checkout@v3
@@ -236,8 +248,14 @@ jobs:
 
       - name: Create cluster
         run: |
+          echo ${DOCKERHUB_PASSWORD} | docker login -u ${DOCKERHUB_USER} --password-stdin
           kind create cluster --image kindest/node:v1.28.7
           kubectl wait --for=condition=Ready pods --all --timeout=180s -n kube-system
+          echo "[test-env] creating secret docker-registry ..."
+          kubectl create secret docker-registry dockerhub-secret \
+            --docker-username="${DOCKERHUB_USER}" \
+            --docker-password="${DOCKERHUB_PASSWORD}" \
+            --docker-email=docker-pull@unexists.unexists
           
       - name: Load cache
         if: ${{ inputs.load_artifact }}
diff --git a/helm/test/run_chart_tests.sh b/helm/test/run_chart_tests.sh
index 326d1c0..722a802 100755
--- a/helm/test/run_chart_tests.sh
+++ b/helm/test/run_chart_tests.sh
@@ -23,8 +23,20 @@ CT_NAMESPACE="ct"
 SECRET_NAME="wallarm-api-token"
 SECRET_KEY="token"
 
+
+# This will prevent the secret for index.docker.io from being used if the DOCKERHUB_USER is not set.
+if [ "${DOCKERHUB_USER:-false}" = "false" ]; then
+  DOCKERHUB_REGISTRY_SERVER="fake_docker_registry_server"
+fi
+
+DOCKERHUB_SECRET_NAME="dockerhub-secret"
+DOCKERHUB_USER="${DOCKERHUB_USER:-fake_user}"
+DOCKERHUB_PASSWORD="${DOCKERHUB_PASSWORD:-fake_password}"
+
 HELM_EXTRA_ARGS="--timeout 180s"
-HELM_EXTRA_SET_ARGS="--set config.wallarm.api.token=${WALLARM_API_TOKEN} ${HELM_ARGS:-}"
+HELM_EXTRA_SET_ARGS="--set config.wallarm.api.token=${WALLARM_API_TOKEN} \
+  --set imagePullSecrets[0].name=${DOCKERHUB_SECRET_NAME} \
+  ${HELM_ARGS:-}"
 
 # Handle the case when we run chart testing with '--upgrade' option
 if [[ "${CT_MODE:-}" == "upgrade" ]]; then
@@ -43,6 +55,14 @@ if ! kubectl -n ${CT_NAMESPACE} get secret "${SECRET_NAME}" &> /dev/null; then
   kubectl -n ${CT_NAMESPACE} create secret generic "${SECRET_NAME}" --from-literal="${SECRET_KEY}"="${WALLARM_API_TOKEN}"
 fi
 
+if ! kubectl -n ${CT_NAMESPACE} get secret "${DOCKERHUB_SECRET_NAME}" &> /dev/null; then
+  echo "Creating secret ${DOCKERHUB_SECRET_NAME}..."
+  kubectl -n ${CT_NAMESPACE} create secret docker-registry "${DOCKERHUB_SECRET_NAME}" \
+              --docker-username="${DOCKERHUB_USER}" \
+              --docker-password="${DOCKERHUB_PASSWORD}" \
+              --docker-email=docker-pull@unexists.unexists
+fi
+
 cat <<EOF > ct.sh
 #!/bin/bash
 set -e
diff --git a/helm/values.test.yaml b/helm/values.test.yaml
index 82513d7..de75e36 100644
--- a/helm/values.test.yaml
+++ b/helm/values.test.yaml
@@ -8,4 +8,6 @@ config:
     fallback: "off"
 
 controller:
-  replicaCount: 1
\ No newline at end of file
+  replicaCount: 1
+imagePullSecrets:
+  - name: dockerhub-secret
diff --git a/kind/docker/manifests/init/pytest.yaml b/kind/docker/manifests/init/pytest.yaml
index 7717e2b..26fcb67 100644
--- a/kind/docker/manifests/init/pytest.yaml
+++ b/kind/docker/manifests/init/pytest.yaml
@@ -21,6 +21,8 @@ spec:
       labels:
         app.kubernetes.io/name: pytest
     spec:
+      imagePullSecrets:
+        - name: dockerhub-secret
       serviceAccountName: pytest
       containers:
       - name: pytest

From 61efda173839aff815a3beac20cd75e73a0cccf2 Mon Sep 17 00:00:00 2001
From: "alexey.ponomarev" <aponomarev@wallarm.com>
Date: Thu, 22 Aug 2024 23:11:24 +0600
Subject: [PATCH 2/2] NODE-5655 add docker auth to tests

---
 .github/workflows/ci.yaml                     |  2 ++
 .github/workflows/test.yaml                   | 24 +++++++++----------
 .../ci/deployment-existing-secret-values.yaml |  4 +++-
 .../deployment-external-tarantool-values.yaml |  4 +++-
 helm/ci/deployment-values.yaml                |  2 ++
 test/smoke/run.sh                             |  3 ++-
 6 files changed, 24 insertions(+), 15 deletions(-)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index be9ce5a..e438595 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -5,6 +5,8 @@ on:
     branches: ['main']
     types: ['opened', 'reopened', 'synchronize']
     paths:
+      - '.github/workflows/ci.yaml'
+      - '.github/workflows/test.yaml'
       - 'helm/**'
       - 'files/**'
       - 'cmd/**'
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index 543a2c0..86c7a60 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -154,9 +154,9 @@ jobs:
           method: kubernetes
           path: kubernetes-ci
           secrets: |
-            kv-gitlab-ci/data/github/sidecar api_token ;
             kv-gitlab-ci/data/github/shared/dockerhub-creds user | DOCKERHUB_USER ;
             kv-gitlab-ci/data/github/shared/dockerhub-creds password | DOCKERHUB_PASSWORD ;
+            kv-gitlab-ci/data/github/sidecar api_token ;
 
       - name: Checkout
         uses: actions/checkout@v3
@@ -174,11 +174,6 @@ jobs:
           kubectl cluster-info
           kubectl wait --for=condition=Ready pods --all --timeout=180s -n kube-system
           echo "current-context:" $(kubectl config current-context)
-          echo "[test-env] creating secret docker-registry ..."
-          kubectl create secret docker-registry dockerhub-secret \
-            --docker-username="${DOCKERHUB_USER}" \
-            --docker-password="${DOCKERHUB_PASSWORD}" \
-            --docker-email=docker-pull@unexists.unexists
       
       - name: Load cache
         if: ${{ inputs.load_artifact }}
@@ -193,6 +188,11 @@ jobs:
       - name: Install Helm chart
         run: |
           unset KUBERNETES_SERVICE_HOST
+          echo "[test-env] creating secret docker-registry ..."
+          kubectl create secret docker-registry dockerhub-secret \
+            --docker-username="${DOCKERHUB_USER}" \
+            --docker-password="${DOCKERHUB_PASSWORD}" \
+            --docker-email=docker-pull@unexists.unexists
           helm install wallarm-sidecar ./helm -f helm/values.test.yaml \
             --set config.wallarm.api.token=${API_TOKEN} \
             --debug \
@@ -209,6 +209,11 @@ jobs:
       - name: Deploy pytest
         run: |
           unset KUBERNETES_SERVICE_HOST
+          kubectl create namespace pytest
+          kubectl -n pytest create secret docker-registry dockerhub-secret \
+            --docker-username="${DOCKERHUB_USER}" \
+            --docker-password="${DOCKERHUB_PASSWORD}" \
+            --docker-email=docker-pull@unexists.unexists
           kubectl apply -f kind/docker/manifests/init/pytest.yaml
           while [[ -z $(kubectl -n pytest get pods -o name) ]]; do
             sleep 1
@@ -237,9 +242,9 @@ jobs:
           method: kubernetes
           path: kubernetes-ci
           secrets: |
-            kv-gitlab-ci/data/github/sidecar api_token | WALLARM_API_TOKEN ;
             kv-gitlab-ci/data/github/shared/dockerhub-creds user | DOCKERHUB_USER ;
             kv-gitlab-ci/data/github/shared/dockerhub-creds password | DOCKERHUB_PASSWORD ;
+            kv-gitlab-ci/data/github/sidecar api_token | WALLARM_API_TOKEN ;
 
       - name: Checkout
         uses: actions/checkout@v3
@@ -251,11 +256,6 @@ jobs:
           echo ${DOCKERHUB_PASSWORD} | docker login -u ${DOCKERHUB_USER} --password-stdin
           kind create cluster --image kindest/node:v1.28.7
           kubectl wait --for=condition=Ready pods --all --timeout=180s -n kube-system
-          echo "[test-env] creating secret docker-registry ..."
-          kubectl create secret docker-registry dockerhub-secret \
-            --docker-username="${DOCKERHUB_USER}" \
-            --docker-password="${DOCKERHUB_PASSWORD}" \
-            --docker-email=docker-pull@unexists.unexists
           
       - name: Load cache
         if: ${{ inputs.load_artifact }}
diff --git a/helm/ci/deployment-existing-secret-values.yaml b/helm/ci/deployment-existing-secret-values.yaml
index 4db69d5..92ffe6e 100644
--- a/helm/ci/deployment-existing-secret-values.yaml
+++ b/helm/ci/deployment-existing-secret-values.yaml
@@ -1,5 +1,7 @@
+imagePullSecrets:
+  - name: dockerhub-secret
 config:
   wallarm:
     api:
       existingSecret:
-        enabled: true
\ No newline at end of file
+        enabled: true
diff --git a/helm/ci/deployment-external-tarantool-values.yaml b/helm/ci/deployment-external-tarantool-values.yaml
index 2ae1562..fad5b72 100644
--- a/helm/ci/deployment-external-tarantool-values.yaml
+++ b/helm/ci/deployment-external-tarantool-values.yaml
@@ -1,4 +1,6 @@
+imagePullSecrets:
+  - name: dockerhub-secret
 postanalytics:
   external:
     enabled: true
-    host: tarantool.domain.internal
\ No newline at end of file
+    host: tarantool.domain.internal
diff --git a/helm/ci/deployment-values.yaml b/helm/ci/deployment-values.yaml
index e69de29..b44f879 100644
--- a/helm/ci/deployment-values.yaml
+++ b/helm/ci/deployment-values.yaml
@@ -0,0 +1,2 @@
+imagePullSecrets:
+  - name: dockerhub-secret
diff --git a/test/smoke/run.sh b/test/smoke/run.sh
index 91c35ce..fd0889f 100755
--- a/test/smoke/run.sh
+++ b/test/smoke/run.sh
@@ -27,9 +27,10 @@ export INJECTION_STRATEGY="${INJECTION_STRATEGY:-single}"
 
 K8S_VERSION=${K8S_VERSION:-1.28.7}
 
-DOCKERHUB_REGISTRY_SERVER="https://index.docker.io/v1/"
 
 # This will prevent the secret for index.docker.io from being used if the DOCKERHUB_USER is not set.
+DOCKERHUB_REGISTRY_SERVER="https://index.docker.io/v1/"
+
 if [ "${DOCKERHUB_USER:-false}" = "false" ]; then
   DOCKERHUB_REGISTRY_SERVER="fake_docker_registry_server"
 fi